On-demand service security system and method for managing a risk of access as a condition of permitting access to the on-demand service

ABSTRACT

Provided are mechanisms and methods for managing a risk of access to an on-demand service as a condition of permitting access to the on-demand service. These mechanisms and methods for providing such management can help prohibit an unauthorized user from accessing an account of an authorized user when the authorized user inadvertently loses login information. The ability to provide such management may lead to an improved security feature for accessing on-demand services.

CLAIM OF PRIORITY

This application is a continuation of U.S. application Ser. No.12/271,661, filed Nov. 14, 2008, which claims the benefit of U.S.Provisional Patent Application 60/988,263 entitled “ON DEMAND SERVICESECURITY SYSTEM AND METHOD,” by Forrest Junod et al., filed Nov. 15,2007, the entire contents of which are incorporated herein by reference.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

FIELD OF THE INVENTION

The current invention relates generally to on-demand services, and moreparticularly to providing security for such on-demand services.

BACKGROUND

The subject matter discussed in the background section should not beassumed to be prior art merely as a result of its mention in thebackground section. Similarly, a problem mentioned in the backgroundsection or associated with the subject matter of the background sectionshould not be assumed to have been previously recognized in the priorart. The subject matter in the background section merely representsdifferent approaches, which in and of themselves may also be inventions.

In conventional database systems, users access their data resources inone logical database. A user of such a conventional system typicallyretrieves data from and stores data on the system using the user's ownsystems. A user system might remotely access one of a plurality ofserver systems that might in turn access the database system. Dataretrieval from the system might include the issuance of a query from theuser system to the database system. The database system might processthe request for information received in the query and send to the usersystem information relevant to the request.

There is often a desire to provide security to the aforementioneddatabase systems. To date, however, these systems have been vulnerableto attacks such as phishing and other techniques used to access anaccount of a user. For example, such systems may become vulnerable whenlogin information of a user is obtained using a phishing site or akeystroke logger. As a result, the user account and organizationsassociated with the account are vulnerable to attack.

BRIEF SUMMARY

In accordance with embodiments, there are provided mechanisms andmethods for managing a risk of access to an on-demand service as acondition of permitting access to the on-demand service. Thesemechanisms and methods for providing such management can enableembodiments to help prohibit an unauthorized user from accessing anaccount of an authorized user when the authorized user inadvertentlyloses login information. The ability of embodiments to provide suchmanagement may lead to an improved security feature for accessingon-demand services.

In an embodiment and by way of example, a method is provided formanaging a risk of access to an on-demand service as a condition ofpermitting access to the on-demand service. In use, a request to accessan on-demand service is received from a requestor at one of a pluralityof entities. It is determined whether the request is from a sourceproviding a risk of access, the determination being based at least inpart on stored information associated with at least one of a pluralityof users or the one of the plurality of entities. Furthermore, the riskof access to the on-demand service by the requestor is managed as acondition of permitting the requestor to access the on-demand service.By this framework, the management of such risk may lead to an improvedsecurity feature for accessing on-demand services.

While the present invention is described with reference to an embodimentin which techniques for managing a risk of access to an on-demandservice may be implemented in an application server providing a frontend for a multi-tenant database on-demand service, the present inventionis not limited to multi-tenant databases or deployment on applicationservers. Embodiments may be practiced using other databasearchitectures, i.e., ORACLE®, DB2® and the like without departing fromthe scope of the embodiments claimed.

Any of the above embodiments may be used alone or together with oneanother in any combination. Inventions encompassed within thisspecification may also include embodiments that are only partiallymentioned or alluded to or are not mentioned or alluded to at all inthis brief summary or in the abstract. Although various embodiments ofthe invention may have been motivated by various deficiencies with theprior art, which may be discussed or alluded to in one or more places inthe specification, the embodiments of the invention do not necessarilyaddress any of these deficiencies. In other words, different embodimentsof the invention may address different deficiencies that may bediscussed in the specification. Some embodiments may only partiallyaddress some deficiencies or just one deficiency that may be discussedin the specification, and some embodiments may not address any of thesedeficiencies.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a method for managing a risk of access to anon-demand service as a condition of permitting access to the on-demandservice, in accordance with one embodiment.

FIG. 2 illustrates a system for managing a risk of access to anon-demand service as a condition of permitting access to the on-demandservice, in accordance with one embodiment.

FIG. 3 shows a method for managing a risk of access to an on-demandservice as a condition of permitting access to the on-demand service, inaccordance with another embodiment.

FIG. 4A shows a user interface for configuring the management of a riskto an on-demand service, in accordance with one embodiment.

FIG. 4B shows a user interface for configuring the management of a riskto an on-demand service, in accordance with another embodiment.

FIG. 4C shows a user interface for configuring the management of a riskto an on-demand service, in accordance with another embodiment.

FIG. 5 illustrates a block diagram of an example of an environmentwherein an on-demand database service might be used.

FIG. 6 illustrates a block diagram of an embodiment of elements of FIG.5 and various possible interconnections between these elements.

DETAILED DESCRIPTION

General Overview

Systems and methods are provided for managing a risk of access to anon-demand service as a condition of permitting access to the on-demandservice.

There is a desire to provide security to on-demand database systems. Todate, however, these systems have been vulnerable to attacks such asphishing and other techniques used to access an account of a user. Forexample, such systems may become vulnerable when login information of auser is obtained using a phishing site or a keystroke logger. As aresult, the user account and organizations associated with the accountare vulnerable to attack. Thus, mechanisms and methods are providedherein for managing a risk of access to an on-demand service as acondition of permitting access to the on-demand service. The ability ofembodiments to provide such management may lead to an improved securityfeature for accessing on-demand services.

Next, mechanisms and methods will be described for managing a risk ofaccess to an on-demand service as a condition of permitting access tothe on-demand service, in accordance with various exemplary embodiments.

FIG. 1 illustrates a method 100 for managing a risk of access to anon-demand service as a condition of permitting access to the on-demandservice, in accordance with one embodiment. As shown, a request toaccess an on-demand service is received from a requestor at one of aplurality of entities. See operation 102.

In the context of the present description, an on-demand service mayinclude any service that is accessible over a network. For example, inone embodiment, the on-demand service may include an on-demand databaseservice. In this case, an on-demand database service may include anyservice that relies on a database system that is accessible over anetwork.

Furthermore, in the context of the present description, an entity refersto any organization, company, individual, or corporation, etc. that mayutilize the on-demand service. The requestor may include any user orsystem capable of requesting access to the on-demand service. Therequestor may be associated with, and/or a member of, the one of theplurality of entities.

Once the request to access the on-demand service is received, it isdetermined whether the request is from a source providing a risk ofaccess, the determination being based at least in part on storedinformation associated with at least one of a plurality of users or theone of the plurality of entities. See operation 104. The risk of accessmay include a risk to the on-demand service, users, and/or entitiesassociated therewith. In this case, the determination may be based, atleast in part, on stored information associated with the plurality ofusers, the entity, or both.

For example, in one embodiment, determining whether the request is froma source providing the risk of access may be based at least in part onstored information associated with the plurality of users. In anotherembodiment, determining whether the request is from a source providingthe risk of access may be based at least in part on stored informationassociated with the one of the plurality of entities.

Furthermore, the plurality of users may each be associated with theentity. For example, the users may be members, employees,representatives, etc. of the entity. Additionally, the informationassociated with the users and the entity may include any type ofinformation, such as login information, subscription information,security information, computer or other device information, and/or anyother information.

Determining whether the request for access is from a source providing arisk of access may occur in a variety of ways. For example, in oneembodiment, determining whether the request is from a source providing arisk of access may include determining whether the request is from anunknown source. In this case, a list or database including a pluralityof known sources may be provided.

Thus, a source of the request may be compared to the list of knownsources. The sources may include entity sources and/or user sources. Forexample, information may be stored for a plurality of known entitiesand/or a plurality of users that may or may not be associated with thoseentities.

In another embodiment, determining whether the request is from a sourceproviding a risk of access may include determining whether the requestis from an unknown IP address. In this case, a list or databaseincluding a plurality of known IP addresses may be provided. Thus, an IPaddress of a source of the request may be compared to the list of knownIP addresses. The sources may include IP address associated with entitysources and/or user sources.

In still another embodiment, determining whether the request is from asource providing a risk of access may include determining whether therequest is from a known IP address. In this case, the known IP addressmay be associated with a known trusted source (e.g. a white-listedsource, etc.) or a known un-trusted source/e.g. a black-listed source,etc.).

As shown further in FIG. 1, the risk of access to the on-demand serviceby the requestor is managed as a condition of permitting the requestorto access the on-demand service. See operation 106. Managing the risk ofaccess to the on-demand service by the requestor as a condition ofpermitting the requestor to access the on-demand service may include avariety of management techniques.

For example, in one embodiment, managing the risk of access to theon-demand service by the requestor as a condition of permitting therequestor to access the on-demand service may include challenging therequestor to authenticate via email. In this case, an email may be sentto the requestor using an email address stored at or accessible by theon-demand service. The requestor may then authenticate any logincredentials utilizing information included in the email. Uponauthentication, the requestor may be permitted to access the on-demandservice.

In another embodiment, managing the risk of access to the on-demandservice by the requestor as a condition of permitting the requestor toaccess the on-demand service may include challenging the requestor toprovide a valid token. As an option, a token may be provided to therequestor. In this case, the token may be provided to the requestor in amessage (e.g. an email, a text message, etc.). The user may thenvalidate the token such that access to the on-demand service ispermitted.

In still another embodiment, managing the risk of access to theon-demand service by the requestor as a condition of permitting therequestor to access the on-demand service may include determiningwhether the requestor is permitted access by referencing at least onewhite list known only to the on-demand service. For example, theon-demand service may maintain or have access to a white list. The whitelist may be accessed and it may be determined, based on the white list,that the requestor is permitted to access the on-demand service. In thecontext of the present description, a white list refers to any listincluding trusted or accepted users and/or entities.

In yet another embodiment, managing the risk of access to the on-demandservice by the requestor as a condition of permitting the requestor toaccess the on-demand service may include determining whether therequestor is permitted access by referencing at least one black listknown only to the on-demand service. For example, the on-demand servicemay maintain or have access to a black list. The black list may beaccessed and it may be determined, based on the black list, that therequestor is not permitted to access the on-demand service. In thecontext of the present description, a black list refers to any listincluding untrusted or unaccepted users and/or entities. As an option,the white list and the black list may be combined into one list withindicators indicating whether an associated user and/or entity are partof the white list or black list (e.g. allowed or blocked, etc.).

It should be noted that, the request to access the on-demand service maybe received from the requestor in a variety of ways. For example, in oneembodiment, receiving the request to access the on-demand service mayinclude receiving a login request via a user interface. In this case,the requestor may provide login information using a user interface (e.g.a user interface associated with the on-demand service, etc.). Inanother embodiment, receiving the request to access the on-demandservice may include receiving a login request via an applicationprogramming interface (API). In this case, login information associatedwith the requestor or a device of the requestor may be provided using anAPI (e.g. an API associated with a local or remote application, etc.).

FIG. 2 illustrates a system 200 for managing a risk of access to anon-demand service 202 as a condition of permitting access to theon-demand service 202, in accordance with one embodiment. As an option,the present system 200 may be implemented in the context of the detailsof FIG. 1. Of course, however, the system 200 may be implemented in anydesired environment. The aforementioned definitions may apply during thepresent description.

As shown, the on-demand service 202 may include an on-demand databaseservice. In one embodiment, the on-demand database service 202 mayinclude a multi-tenant on-demand database service. In the presentdescription, such multi-tenant on-demand database service may includeany service that relies on a database system that is accessible over anetwork, in which various elements of hardware and software of thedatabase system may be shared by one or more customers. For instance, agiven application server may simultaneously process requests for a greatnumber of customers, and a given database table may store rows for apotentially much greater number of customers.

As shown, the on-demand database service 202 may communicate with aplurality of developers 204. In use, the on-demand database service 202is adapted to receive developed applications from the developers 204. Inthe context of the present description, the developers 204 may includeany one or more entities (e.g. individuals, corporation, organization,etc.) that develop computer code. Further, the applications may includeany computer code (e.g. a complete program, a partial program, a codesegment, etc.).

In addition, the on-demand database service 202 communicates with one ormore tenants 206 of the on-demand database service 202. In theaforementioned embodiment where the on-demand database service 202includes a multi-tenant on-demand database service, a plurality of thetenants 206 may exist. In any case, a tenant refers to any one or morepersons or entities that are capable of accessing the on-demand databaseservice 202, in the present description. For example, the tenant(s) 206may subscribe to the on-demand database service 202.

By this design, the on-demand database service 202 serves to provideaccess to the applications to the tenant(s) 206 of the on-demanddatabase service 202. In use, the aforementioned applications may beunder the control of the on-demand database service 202. Byadministering such control, an improved development/runtime framework,etc. is thereby provided.

In various embodiments, such control may be administered in any desiredmanner. For example, the on-demand database service 202 may enforce anydesired policies by precluding access to applications by the tenant(s)206, in situations where the applications do not adhere to the policies.In other embodiments, the on-demand database service 202 may enforcesuch policies by precluding or limiting functionality accessible to thedevelopers 204, in such non-compliant scenario. For example, publicationof an application to the on-demand database service 202 may bedisallowed in the absence of meeting certain requirements. In onespecific embodiment, the on-demand database service 202 may monitor andlimit various aspects of the applications and terminate related code,based on a dynamic contextual limiter. Of course, the foregoing controlmay be implemented in any desired manner.

In one embodiment, the aforementioned control may take the form oflimiting at least one aspect of the applications by the on-demanddatabase service 202. For instance, such aspect may relate toprocessing, storage, bandwidth, etc. resources made available to theapplications of the developers 204. By this design, the on-demanddatabase service 202 may be able constrain the developers in a way thatoptimizes the ability of the on-demand database service 202 to servicethe tenant(s) 206 via the applications.

In various embodiments, such resources-related aspect may involve adatabase associated with the on-demand database service 202, a manner inwhich such database may be accessed utilizing the applications, etc. Insuch embodiments, the foregoing aspect may include, but is not limitedto a number of columns of a database, a number of queries to a databasein a predetermined timeframe, a number of rows returned by queries, anumber of database statements (e.g. modification statements, etc.), anumber of script statements between database statements, a number ofrows processed (e.g. modified, etc.) in a predetermined timeframe, anumber of transaction statements, a total number of uncommitted rowssince a last transaction control statement, a total number of scriptstatements since a last database call, a duration of processing, etc.

Of course, such exemplary list is not to be construed as limiting. Forexample, any aspect of the on-demand database service 202 (e.g.electronic mail management, etc.) may also be limited as well. In onespecific instance, a number of e-mails one can send per request and/or anumber of outbound web service calls made per request, may be limited.In various embodiments, limits may be applied to an application on aper-request basis or on a per-time-period (e.g. per day) basis. In thelatter embodiment, such limitation may apply on a per-user or per-tenantbasis.

In still additional embodiments, access to the applications by thetenant(s) 206 of the on-demand database service 202 may be controlled.For instance, a single instance of each application may be instantiatedamong a plurality of the tenant(s) 206 of the on-demand database service202. Thus, only a single copy of the application need be stored by theon-demand database service 202, and simultaneously shared amongst thetenant(s) 206 in the foregoing manner.

It should be that the forgoing control may be static or dynamic, may ormay not be uniformly applied, etc. For example, the foregoing aspectsand related control criteria may or may not be different for differentapplications, tenants 206, etc. Just by way of example, the on-demanddatabase service 202 may allow for more resources when running anupgrade script, with respect to when running a per-row database trigger,etc. Further, the on-demand database service 202 may allow for moreresources for large tenants 206, etc.

In one embodiment, the on-demand database service 202 may be utilized tomanage a risk of access to the on-demand service 202 as a condition ofpermitting access thereto. In this case, the managing may includemanaging a risk of access to the on-demand service 202 by a requestertenant as a condition of permitting the requestor tenant to access theon-demand service. In this way, the management of such risk may lead toan improved security feature for accessing on-demand services.

For example, this management may help prevent phishers from accessing anaccount of one of the tenant(s) 206, if the tenant inadvertently loseslogin information (e.g. a username and password, etc.). In oneembodiment, this may be accomplished by determining whether a successfullogin has ever been completed for a particular user device (e.g. acomputer, mobile phone, PDA, etc.) from which a request for access hasbeen sent. If the device has previously been used to log into theon-demand service 202, access may again be allowed to the on-demandservice 202, given user login information is verified. If the device hasnot previously been used to log into the on-demand service 202, accessmay be prohibited until additional information is provided.

In one embodiment, the additional information may include informationassociated with a user of the device who is requesting access to theon-demand service (i.e. the requestor). In this case, it may bedesirable to further authenticate the user to determine if this user isthe valid holder of the credentials provided for login, or if the useris a fraudulent user who obtained the credentials.

As an example, a user may attempt to log into or access an on-demandservice from a computer that is not recognized or registered with theon-demand service. The on-demand service may then send the user anemail. The email may be sent to an email address stored by the on-demandservice that corresponds to login information provided by the user (e.g.a username, password, etc.). This email address may have been suppliedto an on-demand service provider upon subscription to the on-demandservice, for example.

In one embodiment, the email may include a link to the on-demanddatabase service and a unique token. Upon selection of the link by theuser, the token may be validated. If the validation is successful, thecomputer may be registered for that user.

In the case where a device sending the request is not recognized, twoscenarios may be present. First, a valid user may be logging in from anew machine. Second, a fraudulent user may be trying to login withstolen credentials. In the case of a valid user, the valid user receivethe email and be able to further authenticate the identity of the user.In the case of the fraudulent user, the fraudulent user will not receivethe email and thus will not perform the additional authentication step.

The authentication email may be generated as soon as the valid usernameand password are entered from a machine that is not recognized asregistered. As noted, this email may include a token. The token mayinclude any token or key capable of being utilized to validate a user.

In one embodiment, the token may include a Base-64 encoded querystringparameter that is AES 128-bit encrypted with a unique key for everyuser. Furthermore, as an option, there may be several parameters usedfor validation encrypted within the querystring. For example, in variousembodiments, the parameters may include a username (e.g. for therequestor, etc.), an entity identification (e.g. an organization IDassociated with the requestor, etc.), an IP address (e.g. indicatingwhere the request originated, etc.), a time stamp of initial request,and/or various other parameters capable of being used for validation.

As another option, the token may be a one time use token. In this case,after the token is used once, it may not be re-used. Furthermore, thetoken may be configured to expire after a predetermined amount of time.In one embodiment, the token may not be valid for longer than tenminutes. This may help prevent replay attacks. The time stamp of initialrequest parameter may be utilized to determine whether this timecriteria is met.

When a valid user receives the email, the user may then click on thelink, and in turn, validate the token and register the device that sentthe request. Once the token is validated at the on-demand service, theon-demand service may allow the user access and may set a machineidentifier on the user device such that, in the future, the device willbe recognized.

The machine identifier may be set using various techniques. For example,in one embodiment a cookie may be utilized to set the machineidentifier. In this case, the cookie may be a permanent cookie. Invarious other embodiments, the machine identifier may be set using flashlocal storage, userData (e.g. for Internet Explorer, etc.), and documentobject model (DOM) storage (e.g. for Firefox 2+, etc.).

In one embodiment, the machine identifier may be set using multiple orall of a cookie, flash local storage, userData, and DOM storage. As anoption, all of these may be set with the same value to minimize thenumber of times users are required to register a machine. For example,if a user chose to clear cookies every time the browser is closed, themachine identifier may be recreated by accessing one of the values thathas not been deleted. Additionally, a client side script may be utilizedto ensure that if one of these storage options is populated, the rest ofthe storage options are populated as well. In still other embodiments,the machine ID may be set in a querystring of a browser bookmarkcorresponding to the on-demand service.

In one embodiment, the machine identifier may be a token that has a longshelf life. In this case, the machine identifier may be configured toexpire after a predetermined amount of time to prevent malware fromstealing the password and cookie associated with the machine identifier.As an option, the machine identifier or an encrypted token including themachine identifier, may include a timestamp of when the machineidentifier was set and information about a user the machine identifieris associated with. As another option, the machine identifier may beassociated with an IP address.

When the on-demand service receives a machine identifier cookie, theon-demand service may validate that that the cookie is being used by thecorrect user and may analyze an associated time stamp. If the timestampis older than a predetermined amount of time (e.g. more than one weekold, etc.), a new machine identifier may be generated. Regenerating anew machine identifier may not require that the user re-register theuser device because the new cookie value may be set by the on-demandservice.

Any other machine identifier storage objects (e.g. a cookie, flash localstorage, userData, etc.) may also be updated on the side of the userdevice (i.e. the client side). Once the machine identifier is set, theuser device is registered. It should be noted that the machineidentifiers may be unique for every user and associated user device.

When a device of a user is already registered with the on-demandservice, the user may not need to perform any other functions toidentify themselves beyond initially providing a username and password.When the user logs in, the machine identifier cookie may be provided ina request for access to the on-demand service, along with the logincredentials. The machine identifier, the username, and password, etc.may be validated, and if everything is correct, the user may be allowedaccess to the on-demand service.

FIG. 3 shows a method 300 for managing a risk of access to an on-demandservice as a condition of permitting access to the on-demand service, inaccordance with another embodiment. As an option, the present method 300may be implemented in the context of the details of FIGS. 1-2. Ofcourse, however, the method 300 may be carried out in any desiredenvironment. Again, the aforementioned definitions may apply during thepresent description.

As shown, a login page is displayed to a user. See operation 302. Usingthis login page, a user may enter login information such as a usernameand password. This login information may be provided as a request foraccess to a server associated with an on-demand service. As an option,the request may also include a machine identifier (ID) of a device (e.g.a laptop computer, desktop computer, handheld computer, etc.) that theuser is using to perform the login.

Once the user enters in the login information, it is determined whetherthe username and password entered by the user are valid. See operation304. If the username and password are valid, it is determined whetherthe machine ID of the user device is valid. See operation 306.

In this case, validity of the machine ID may be determined by comparingthe machine ID to one or more machine IDs of devices associated with theuser. Information regarding the one or more machine IDs of the devicesassociated with the user may be accessible by the on-demand service. Ifit is determined that the machine ID is a valid machine ID, the user islogged in and allowed access to the on-demand service. See operation308.

If the machine ID is not recognized, and it determined that the machineID is not a valid machine ID, an email including a unique token is sentto the user. See operation 310. The user may then select a link providedin the email. See operation 312.

It is then determined whether the link is a valid link. See operation314. If the link is a valid link, the user is logged in and the machineID of the user device is set. See operation 316.

If it is determined that the link is not a valid link, an error messageis generated and displayed to the user. See operation 318. As an option,this error message may be displayed to the user using the login screen.

Using this technique, a request to access an on-demand service may bereceived from a requestor and it may be determined whether the requestis from a source providing risk. The risk of access to the on-demandservice may be assessed and managed as a condition of permitting therequestor to access the on-demand service. Thus, a user and anassociated device that is attempting to login to an on-demand servicemay be challenged, using a user interface, and/or using an API. Forexample, the API of the on-demand service may use a security token inorder to validate a computer of the user attempting to login. Theon-demand service may also check the computer attempting to loginagainst one or more white lists or black lists to assess the level ofrisk in permitting the login.

It should be noted that any individual challenge of the user credentialsor combination of challenges may be utilized. For example, a userinterface challenge may be utilized such that as a user logs into anon-demand service of an organization from an unknown IP address andbrowser, the user may be challenged. In this case, browsers may betracked using cookies and IP addresses may be tracked in an on-demandservice database. As noted above, the challenge may come in the form ofan email sent to an email account stored by the on-demand service andthe user may follow a link included in the email to login and registerthe computer.

As another example, API security tokens may be utilized. In this case,an API may require a security token to be utilized when an unknown IPaddress is encountered. The token may be issued via email and may followa life span of a user password. The token may be configured to work onany version of the API login call. Furthermore, in order to issue atoken, a user may access an interface to reset or set a security token.By using this interface, a user may request an email with the token.

In another case, unknown IP addresses may be identified as part of anidentification step. In order for a computer to become known based on anIP address, the on-demand service may locate the computer on a whitelist. The white list may include an entity or organization wide whitelist such that all members of the organization (e.g. users or tenants,etc.) are identified. This entity wide white list may be utilized toallow users to specify known IP ranges. As an option, the on-demandservice may be configured such that any ranges added to the entity widewhite list may not be challenged in the user interface or API.

FIG. 4A shows a user interface 400 for configuring the management of arisk to an on-demand service, in accordance with one embodiment. As anoption, the user interface 400 may be implemented in the context of thedetails of FIGS. 1-3. Of course, however, the user interface 400 may beimplemented in any desired environment. Further, the aforementioneddefinitions may apply during the present description.

As shown, the interface 400 shows a plurality of entities andcorresponding IP address ranges. In this case, a user may utilize theinterface 400 to manage trusted entities and corresponding IP addressranges. Using this interface 400, the user may click a “New” button toadd a new trusted IP address range.

FIG. 4B shows a user interface 410 for configuring the management of arisk to an on-demand service, in accordance with another embodiment. Asan option, the user interface 410 may be implemented in the context ofthe details of FIGS. 1-4A. Of course, however, the user interface 410may be implemented in any desired environment. The aforementioneddefinitions may apply during the present description.

As shown, the interface 410 may be utilized to add a new trusted IPaddress range. In this case, a user may be permitted to enter a range ofIP addresses including a start IP address and an end IP address.

FIG. 4C shows a user interface 420 for configuring the management of arisk to an on-demand service, in accordance with another embodiment. Asan option, the user interface 420 may be implemented in the context ofthe details of FIGS. 1-4B. Of course, however, the user interface 420may be implemented in any desired environment. Again, the aforementioneddefinitions may apply during the present description.

As shown, the interface 420 shows a plurality of entities andcorresponding IP address ranges. In this case, a user may utilize theinterface 420 to manage trusted and untrusted entities and correspondingIP address ranges. Using this interface 420, the user may allow or blockentities and corresponding IP address ranges.

System Overview

FIG. 5 illustrates a block diagram of an environment 510 wherein anon-demand database service might be used. As an option, any of thepreviously described embodiments of the foregoing figures may or may notbe implemented in the context of the environment 510. Environment 510may include user systems 512, network 514, system 516, processor system517, application platform 518, network interface 520, tenant datastorage 522, system data storage 524, program code 526, and processspace 528. In other embodiments, environment 510 may not have all of thecomponents listed and/or may have other elements instead of, or inaddition to, those listed above.

Environment 510 is an environment in which an on-demand database serviceexists. User system 512 may be any machine or system that is used by auser to access a database user system. For example, any of user systems512 can be a handheld computing device, a mobile phone, a laptopcomputer, a work station, and/or a network of computing devices. Asillustrated in FIG. 5 (and in more detail in FIG. 6) user systems 512might interact via a network with an on-demand database service, whichis system 516.

An on-demand database service, such as system 516, is a database systemthat is made available to outside users that do not need to necessarilybe concerned with building and/or maintaining the database system, butinstead may be available for their use when the users need the databasesystem (e.g., on the demand of the users). Some on-demand databaseservices may store information from one or more tenants stored intotables of a common database image to form a multi-tenant database system(MTS). Accordingly, “on-demand database service 516” and “system 516”will be used interchangeably herein. A database image may include one ormore database objects. A relational database management system (RDMS) orthe equivalent may execute storage and retrieval of information againstthe database object(s). Application platform 518 may be a framework thatallows the applications of system 516 to run, such as the hardwareand/or software, e.g., the operating system. In an embodiment, on-demanddatabase service 516 may include an application platform 518 thatenables creation, managing and executing one or more applicationsdeveloped by the provider of the on-demand database service, usersaccessing the on-demand database service via user systems 512, or thirdparty application developers accessing the on-demand database servicevia user systems 512.

The users of user systems 512 may differ in their respective capacities,and the capacity of a particular user system 512 might be entirelydetermined by permissions (permission levels) for the current user. Forexample, where a salesperson is using a particular user system 512 tointeract with system 516, that user system has the capacities allottedto that salesperson. However, while an administrator is using that usersystem to interact with system 516, that user system has the capacitiesallotted to that administrator. In systems with a hierarchical rolemodel, users at one permission level may have access to applications,data, and database information accessible by a lower permission leveluser, but may not have access to certain applications, databaseinformation, and data accessible by a user at a higher permission level.Thus, different users have different capabilities with regard toaccessing and modifying application and database information, dependingon a user's security or permission level.

Network 514 is any network or combination of networks of devices thatcommunicate with one another. For example, network 514 can be any one orany combination of a LAN (local area network), WAN (wide area network),telephone network, wireless network, point-to-point network, starnetwork, token ring network, hub network, or other appropriateconfiguration. As the most common type of computer network in currentuse is a TCP/IP (Transfer Control Protocol and Internet Protocol)network, such as the global internetwork of networks often referred toas the “Internet” with a capital “I” that network will be used in manyof the examples herein. However, it should be understood that thenetworks that the present invention might use are not so limited,although TCP/IP is a frequently implemented protocol.

User systems 512 might communicate with system 516 using TCP/IP and, ata higher network level, use other common Internet protocols tocommunicate, such as HTTP, FTP, AFS, WAP, etc. In an example where HTTPis used, user system 512 might include an HTTP client commonly referredto as a “browser” for sending and receiving HTTP messages to and from anHTTP server at system 516. Such an HTTP server might be implemented asthe sole network interface between system 516 and network 514, but othertechniques might be used as well or instead. In some implementations,the interface between system 516 and network 514 includes load sharingfunctionality, such as round-robin request distributors to balance loadsand distribute incoming HTTP requests evenly over a plurality ofservers. At least as for the users that are accessing that server, eachof the plurality of servers has access to the MTS' data; however, otheralternative configurations may be used instead.

In one embodiment, system 516, shown in FIG. 5, implements a web-basedcustomer relationship management (CRM) system. For example, in oneembodiment, system 516 includes application servers configured toimplement and execute CRM software applications as well as providerelated data, code, forms, webpages and other information to and fromuser systems 512 and to store to, and retrieve from, a database systemrelated data, objects, and Webpage content. With a multi-tenant system,data for multiple tenants may be stored in the same physical databaseobject, however, tenant data typically is arranged so that data of onetenant is kept logically separate from that of other tenants so that onetenant does not have access to another tenant's data, unless such datais expressly shared. In certain embodiments, system 516 implementsapplications other than, or in addition to, a CRM application. Forexample, system 516 may provide tenant access to multiple hosted(standard and custom) applications, including a CRM application. User(or third party developer) applications, which may or may not includeCRM, may be supported by the application platform 518, which managescreation, storage of the applications into one or more database objectsand executing of the applications in a virtual machine in the processspace of the system 516.

One arrangement for elements of system 516 is shown in FIG. 6, includinga network interface 520, application platform 518, tenant data storage522 for tenant data 523, system data storage 524 for system dataaccessible to system 516 and possibly multiple tenants, program code forimplementing various functions of system 516, and a process space 528for executing MTS system processes and tenant-specific processes, suchas running applications as part of an application hosting service.Additional processes that may execute on system 516 include databaseindexing processes.

Several elements in the system shown in FIG. 6 include conventional,well-known elements that are explained only briefly here. For example,each user system 512 could include a desktop personal computer,workstation, laptop, PDA, cell phone, or any wireless access protocol(WAP) enabled device or any other computing device capable ofinterfacing directly or indirectly to the Internet or other networkconnection. User system 512 typically runs an HTTP client, e.g., abrowsing program, such as Microsoft's Internet Explorer browser,Netscape's Navigator browser, Opera's browser, or a WAP-enabled browserin the case of a cell phone, FDA or other wireless device, or the like,allowing a user (e.g., subscriber of the multi-tenant database system)of user system 512 to access, process and view information, pages andapplications available to it from system 516 over network 514. Each usersystem 512 also typically includes one or more user interface devices,such as a keyboard, a mouse, trackball, touch pad, touch screen, pen orthe like, for interacting with a graphical user interface (GUI) providedby the browser on a display (e.g., a monitor screen, LCD display, etc.)in conjunction with pages, forms, applications and other informationprovided by system 516 or other systems or servers. For example, theuser interface device can be used to access data and applications hostedby system 516, and to perform searches on stored data, and otherwiseallow a user to interact with various GUI pages that may be presented toa user. As discussed above, embodiments are suitable for use with theInternet, which refers to a specific global internetwork of networks.However, it should be understood that other networks can be used insteadof the Internet, such as an intranet, an extranet, a virtual privatenetwork (VPN), a non-TCP/IP based network, any LAN or WAN or the like.

According to one embodiment, each user system 512 and all of itscomponents are operator configurable using applications, such as abrowser, including computer code run using a central processing unitsuch as an Intel Pentium® processor or the like. Similarly, system 516(and additional instances of an MTS, where more than one is present) andall of their components might be operator configurable usingapplication(s) including computer code to run using a central processingunit such as processor system 517, which may include an Intel Pentium®processor or the like, and/or multiple processor units. A computerprogram product embodiment includes a machine-readable storage medium(media) having instructions stored thereon/in which can be used toprogram a computer to perform any of the processes of the embodimentsdescribed herein. Computer code for operating and configuring system 516to intercommunicate and to process webpages, applications and other dataand media content as described herein are preferably downloaded andstored on a hard disk, but the entire program code, or portions thereof,may also be stored in any other volatile or non-volatile memory mediumor device as is well known, such as a ROM or RAM, or provided on anymedia capable of storing program code, such as any type of rotatingmedia including floppy disks, optical discs, digital versatile disk(DVD), compact disk (CD), microdrive, and magneto-optical disks, andmagnetic or optical cards, nanosystems (including molecular memory ICs),or any type of media or device suitable for storing instructions and/ordata. Additionally, the entire program code, or portions thereof, may betransmitted and downloaded from a software source over a transmissionmedium, e.g., over the Internet, or from another server, as is wellknown, or transmitted over any other conventional network connection asis well known (e.g., extranet, VPN, LAN, etc.) using any communicationmedium and protocols (e.g., TCP/IP, HTTP, HTTPS, Ethernet, etc.) as arewell known. It will also be appreciated that computer code forimplementing embodiments of the present invention can be implemented inany programming language that can be executed on a client system and/orserver or server system such as, for example, C, C++, HTML, any othermarkup language, Java™, JavaScript, ActiveX, any other scriptinglanguage, such as VBScript, and many other programming languages as arewell known may be used. (Java™ is a trademark of Sun Microsystems,Inc.).

According to one embodiment, each system 516 is configured to providewebpages, forms, applications, data and media content to user (client)systems 512 to support the access by user systems 512 as tenants ofsystem 516. As such, system 516 provides security mechanisms to keepeach tenant's data separate unless the data is shared. If more than oneMTS is used, they may be located in close proximity to one another(e.g., in a server farm located in a single building or campus), or theymay be distributed at locations remote from one another (e.g., one ormore servers located in city A and one or more servers located in cityB). As used herein, each MTS could include one or more logically and/orphysically connected servers distributed locally or across one or moregeographic locations. Additionally, the term “server” is meant toinclude a computer system, including processing hardware and processspace(s), and an associated storage system and database application(e.g., OODBMS or RDBMS) as is well known in the art. It should also beunderstood that “server system” and “server” are often usedinterchangeably herein. Similarly, the database object described hereincan be implemented as single databases, a distributed database, acollection of distributed databases, a database with redundant online oroffline backups or other redundancies, etc., and might include adistributed database or storage network and associated processingintelligence.

FIG. 6 also illustrates environment 510. However, in FIG. 6 elements ofsystem 516 and various interconnections in an embodiment are furtherillustrated. FIG. 6 shows that user system 512 may include processorsystem 512A, memory system 512B, input system 512C, and output system512D. FIG. 6 shows network 514 and system 516. FIG. 6 also shows thatsystem 516 may include tenant data storage 522, tenant data 523, systemdata storage 524, system data 525, User Interface (UI) 530. ApplicationProgram Interface (API) 632, PL/SOQL 634, save routines 636, applicationsetup mechanism 638, applications servers 600 ₁-600 _(N), system processspace 602, tenant process spaces 604, tenant management process space610, tenant storage area 612, user storage 614, and application metadata616. In other embodiments, environment 510 may not have the sameelements as those listed above and/or may have other elements insteadof, or in addition to, those listed above.

User system 512, network 514, system 516, tenant data storage 522, andsystem data storage 524 were discussed above in FIG. 5. Regarding usersystem 512, processor system 512A may be any combination of one or moreprocessors. Memory system 512B may be any combination of one or morememory devices, short term, and/or long term memory. Input system 512Cmay be any combination of input devices, such as one or more keyboards,mice, trackballs, scanners, cameras, and/or interfaces to networks.Output system 512D may be any combination of output devices, such as oneor more monitors, printers, and/or interfaces to networks. As shown byFIG. 6, system 516 may include a network interface 520 (of FIG. 5)implemented as a set of HTTP application servers 600, an applicationplatform 518, tenant data storage 522, and system data storage 524. Alsoshown is system process space 602, including individual tenant processspaces 604 and a tenant management process space 610. Each applicationserver 600 may be configured to tenant data storage 522 and the tenantdata 523 therein, and system data storage 524 and the system data 525therein to serve requests of user systems 512. The tenant data 523 mightbe divided into individual tenant storage areas 612, which can be eithera physical arrangement and/or a logical arrangement of data. Within eachtenant storage area 612, user storage 614 and application metadata 616might be similarly allocated for each user. For example, a copy of auser's most recently used (MRU) items might be stored to user storage614. Similarly, a copy of MRU items for an entire organization that is atenant might be stored to tenant storage area 612. A UI 630 provides auser interface and an API 632 provides an application programmerinterface to system 516 resident processes to users and/or developers atuser systems 512. The tenant data and the system data may be stored invarious databases, such as one or more Oracle™ databases.

Application platform 518 includes an application setup mechanism 638that supports application developers' creation and management ofapplications, which may be saved as metadata into tenant data storage522 by save routines 636 for execution by subscribers as one or moretenant process spaces 604 managed by tenant management process 610 forexample. Invocations to such applications may be coded using PL/SOQL 634that provides a programming language style interface extension to API632. A detailed description of some PL/SOQL language embodiments isdiscussed in commonly owned U.S. Provisional Patent Application60/828,192 entitled, “PROGRAMMING LANGUAGE METHOD AND SYSTEM FOREXTENDING APIS TO EXECUTE IN CONJUNCTION WITH DATABASE APIS,” by CraigWeissman, filed Oct. 4, 2006, which is incorporated in its entiretyherein for all purposes. Invocations to applications may be detected byone or more system processes, which manage retrieving applicationmetadata 616 for the subscriber making the invocation and executing themetadata as an application in a virtual machine.

Each application server 600 may be communicably coupled to databasesystems, e.g., having access to system data 525 and tenant data 523, viaa different network connection. For example, one application server 600₁ might be coupled via the network 514 (e.g., the Internet), anotherapplication server 600 _(N−1) might be coupled via a direct networklink, and another application server 600 _(N) might be coupled by yet adifferent network connection. Transfer Control Protocol and InternetProtocol (TCP/IP) are typical protocols for communicating betweenapplication servers 60) and the database system. However, it will beapparent to one skilled in the art that other transport protocols may beused to optimize the system depending on the network interconnect used.

In certain embodiments, each application server 600 is configured tohandle requests for any user associated with any organization that is atenant. Because it is desirable to be able to add and remove applicationservers from the server pool at any time for any reason, there ispreferably no server affinity for a user and/or organization to aspecific application server 600. In one embodiment, therefore, aninterface system implementing a load balancing function (e.g., an F5Big-IP load balancer) is communicably coupled between the applicationservers 600 and the user systems 512 to distribute requests to theapplication servers 600. In one embodiment, the load balancer uses aleast connections algorithm to route user requests to the applicationservers 600. Other examples of load balancing algorithms, such as roundrobin and observed response time, also can be used. For example, incertain embodiments, three consecutive requests from the same user couldhit three different application servers 600, and three requests fromdifferent users could hit the same application server 600. In thismanner, system 516 is multi-tenant, wherein system 516 handles storageof, and access to, different objects, data and applications acrossdisparate users and organizations.

As an example of storage, one tenant might be a company that employs asales force where each salesperson uses system 516 to manage their salesprocess. Thus, a user might maintain contact data, leads data, customerfollow-up data, performance data, goals and progress data, etc., allapplicable to that user's personal sales process (e.g., in tenant datastorage 522). In an example of a MTS arrangement, since all of the dataand the applications to access, view, modify, report, transmit,calculate, etc., can be maintained and accessed by a user system havingnothing more than network access, the user can manage his or her salesefforts and cycles from any of many different user systems. For example,if a salesperson is visiting a customer and the customer has Internetaccess in their lobby, the salesperson can obtain critical updates as tothat customer while waiting for the customer to arrive in the lobby.

While each user's data might be separate from other users' dataregardless of the employers of each user, some data might beorganization-wide data shared or accessible by a plurality of users orall of the users for a given organization that is a tenant. Thus, theremight be some data structures managed by system 516 that are allocatedat the tenant level while other data structures might be managed at theuser level. Because an MTS might support multiple tenants includingpossible competitors, the MTS should have security protocols that keepdata, applications, and application use separate. Also, because manytenants may opt for access to an MTS rather than maintain their ownsystem, redundancy, up-time, and backup are additional functions thatmay be implemented in the MTS. In addition to user-specific data andtenant-specific data, system 516 might also maintain system level datausable by multiple tenants or other data. Such system level data mightinclude industry reports, news, postings, and the like that are sharableamong tenants.

In certain embodiments, user systems 512 (which may be client systems)communicate with application servers 600 to request and updatesystem-level and tenant-level data from system 516 that may requiresending one or more queries to tenant data storage 522 and/or systemdata storage 524. System 516 (e.g. an application server 600 in system516) automatically generates one or more SQL statements (e.g. one ormore SQL queries) that are designed to access the desired information.System data storage 524 may generate query plans to access the requesteddata from the database.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data fitted into predefinedcategories. A “table” is one representation of a data object, and may beused herein to simplify the conceptual description of objects and customobjects according to the present invention. It should be understood that“table” and “object” may be used interchangeably herein. Each tablegenerally contains one or more data categories logically arranged ascolumns or fields in a viewable schema. Each row or record of a tablecontains an instance of data for each category defined by the fields.For example, a CRM database may include a table that describes acustomer with fields for basic contact information such as name,address, phone number, fax number, etc. Another table might describe apurchase order, including fields for information such as customer,product, sale price, date, etc. In some multi-tenant database systems,standard entity tables might be provided for use by all tenants. For CRMdatabase applications, such standard entities might include tables forAccount, Contact, Lead, and Opportunity data, each containingpre-defined fields. It should be understood that the word “entity” mayalso be used interchangeably herein with “object” and “table”.

In some multi-tenant database systems, tenants may be allowed to createand store custom objects, or they may be allowed to customize standardentities or objects, for example by creating custom fields for standardobjects, including custom index fields. U.S. patent application Ser. No.10/817,161, filed Apr. 2, 2004, entitled “CUSTOM ENTITIES AND FIELDS INA MULTI-TENANT DATABASE SYSTEM,” which is hereby incorporated herein byreference, teaches systems and methods for creating custom objects aswell as customizing standard objects in a multi-tenant database system.In certain embodiments, for example, all custom entity data rows arestored in a single multi-tenant physical table, which may containmultiple logical tables per organization. It is transparent to customersthat their multiple “tables” are in fact stored in one large table orthat their data may be stored in the same table as the data of othercustomers.

It should be noted that any of the different embodiments describedherein may or may not be equipped with any one or more of the featuresset forth in one or more of the following published applications:US2003/0233404, titled “OFFLINE SIMULATION OF ONLINE SESSION BETWEENCLIENT AND SERVER,” filed Nov. 4, 2002; US2004/0210909, titled “JAVAOBJECT CACHE SERVER FOR DATABASES,” filed Apr. 17, 2003, now issued U.S.Pat. No. 7,209,929; US2005/0065925, titled “QUERY OPTIMIZATION IN AMULTI-TENANT DATABASE SYSTEM,” filed Sep. 23, 2003; US2005/0223022,titled “CUSTOM ENTITIES AND FIELDS IN A MULTI-TENANT DATABASE SYSTEM,”filed Apr. 2, 2004; US2005/0283478, titled “SOAP-BASED WEB SERVICES IN AMULTI-TENANT DATABASE SYSTEM,” filed Jun. 16, 2004; and/orUS2006/0206834, titled “SYSTEMS AND METHODS FOR IMPLEMENTINGMULTI-APPLICATION TABS AND TAB SETS,” filed Mar. 8, 2005; which are eachincorporated herein by reference in their entirety for all purposes.

While the invention has been described by way of example and in terms ofthe specific embodiments, it is to be understood that the invention isnot limited to the disclosed embodiments. To the contrary, it isintended to cover various modifications and similar arrangements aswould be apparent to those skilled in the art. Therefore, the scope ofthe appended claims should be accorded the broadest interpretation so asto encompass all such modifications and similar arrangements.

The invention claimed is:
 1. A method, comprising: receiving a requestto access an on-demand service from a requestor at the on-demandservice, the request including credentials for logging into theon-demand service; determining, utilizing a hardware processor, that therequestor from which the request to access the on-demand service isreceived is a potentially risky source, the determination being based atleast on: information about the requestor, and information about one ofa plurality of entities of the on-demand service to which the access isrequested, wherein the information about the one of the plurality ofentities is stored by the on-demand service; in response to the requestto access the on-demand service and the determination that the requestoris the potentially risky source, managing access to the on-demandservice by: identifying information previously stored in associationwith the credentials that were received in the request to access theon-demand service, the information previously stored in association withthe credentials indicating a message destination, sending, by theon-demand service, a token to the message destination, after sending thetoken to the message destination, challenging the requestor to providethe token to the on-demand service, determining whether the token isprovided by the requestor to the on-demand service in response to thechallenge, identifying the requestor as authenticated in response to adetermination that the token is provided by the requestor to theon-demand service, and permitting the requested access to the on-demandservice by the authenticated requestor, and identifying the requestor asnon-authenticated in response to a determination that the token is notprovided by the requestor to the on-demand service, and prohibiting therequested access to the on-demand service by the non-authenticatedrequestor.
 2. The method of claim 1, wherein the on-demand serviceincludes an on-demand database service.
 3. The method of claim 2,wherein the on-demand service includes a multi-tenant on-demand databaseservice.
 4. The method of claim 1, wherein managing access to theon-demand service further includes generating the token.
 5. The methodof claim 4, wherein the token is generated in response to a validusername and a valid password being entered by the requestor.
 6. Themethod of claim 5, wherein the token generated in response to the validusername and the valid password entered by the requestor is generatedbased on the valid username.
 7. The method of claim 1, wherein thedetermination that the requestor is the potentially risky source isfurther based at least on a device associated with the requestor.
 8. Themethod of claim 7, wherein it is determined that the requestor is thepotentially risky source because the device associated with therequestor has not previously been associated with at least one of aplurality of users identified by the information about the one of theplurality of entities of the on-demand service to which the access isrequested.
 9. The method of claim 7, wherein it is determined that therequestor is the potentially risky source because the device associatedwith the requestor has previously been associated with at least one of aplurality of users identified by the information about the one of theplurality of entities of the on-demand service to which the access isrequested.
 10. The method of claim 1, wherein determining that therequestor is the potentially risky source includes comparing theinformation about the requestor with a list of at least one of users andentities pre-determined to be granted access to the on-demand service.11. A computer program product, comprising a non-transitory computerusable medium having a computer readable program code embodied therein,the computer readable program code adapted to be executed to cause acomputer to implement a method comprising: receiving a request to accessan on-demand service from a requestor at the on-demand service, therequest including credentials for logging into the on-demand service;determining that the requestor from which the request to access theon-demand service is received is a potentially risky source, thedetermination being based at least on: information about the requestor,and information about one of a plurality of entities of the on-demandservice to which the access is requested, wherein the information aboutthe one of the plurality of entities is stored by the on-demand service;in response to the request to access the on-demand service and thedetermination that the requestor is the potentially risky source,managing access to the on-demand service by: identifying informationpreviously stored in association with the credentials that were receivedin the request to access the on-demand service, the informationpreviously stored in association with the credentials indicating amessage destination, sending, by the on-demand service, a token to themessage destination, after sending the token to the message destination,challenging the requestor to provide the token to the on-demand service,determining whether the token is provided by the requester to theon-demand service in response to the challenge, identifying therequestor as authenticated in response to a determination that the tokenis provided by the requestor to the on-demand service, and permittingthe requested access to the on-demand service by the authenticatedrequestor, and identifying the requestor as non-authenticated inresponse to a determination that the token is not provided by therequestor to the on-demand service, and prohibiting the requested accessto the on-demand service by the non-authenticated requestor.
 12. Anapparatus, comprising: a hardware processor; and one or more storedsequences of instructions which, when executed by the hardwareprocessor, cause the hardware processor to carry out the steps of:receiving a request to access an on-demand service from a requestor atthe on-demand service, the request including credentials for logginginto the on-demand service; determining that the requestor from whichthe request to access the on-demand service is received is a potentiallyrisky source, the determination being based at least on: informationabout the requestor, and information about one of a plurality ofentities of the on-demand service to which the access is requested,wherein the information about the one of the plurality of entities isstored by the on-demand service; in response to the request to accessthe on-demand service and the determination that the requestor is thepotentially risky source, managing access to the on-demand service by:identifying information previously stored in association with thecredentials that were received in the request to access the on-demandservice, the information previously stored in association with thecredentials indicating a message destination, sending, by the on-demandservice, a token to the message destination, after sending the token tothe message destination, challenging the requestor to provide the tokento the on-demand service, determining whether the token is provided bythe requestor to the on-demand service in response to the challenge,identifying the requestor as authenticated in response to adetermination that the token is provided by the requestor to theon-demand service, and permitting the requested access to the on-demandservice by the authenticated requestor, and identifying the requestor asnon-authenticated in response to a determination that the token is notprovided by the requestor to the on-demand service, and prohibiting therequested access to the on-demand service by the non-authenticatedrequestor.